Knowledge Center

Escrow Verification Services FAQ

Frequently Asked Questions

Overview

The value of an escrow arrangement is heavily dependent on the quality of
the deposit materials — a fact increasingly recognised by users and
developers. Over 70% of all deposits sent in to Iron Mountain for analysis
were determined to be incomplete and required additional input from the
developer in order to be compiled.

You can learn about Iron Mountain Escrow Verification Services at
www.ironmountain.co.uk/services/technology-escrow.

In addition, listed below are answers to frequently asked questions about Iron
Mountain’s escrow verification services. We’ve also included answers to
common questions about software development and licensing, including
definitions of technical terms.

Over 70% of all
deposits sent in to
Iron Mountain for
analysis were
determined to be
incomplete and
required additional
input from the
developer in order
to be compiled.

Iron Mountain Escrow Verification FAQ

Q.Why would I need Iron Mountain to verify my technology
escrow deposit?A. A technology escrow arrangement is an excellent vehicle to protect
all parties involved in licensing intellectual property, but the value of
the escrow arrangement is seriously compromised if the deposit
materials are incomplete. A thorough verification of the materials
provides assurance that, in the event of a deposit release, the
technology user (also known as the licensee or the escrow
beneficiary) would be able to read, recreate and maintain the
developer’s technology in-house — in essence, “step into the shoes” of
their vendor.

Iron Mountain’s experience has shown that over 70% of deposits sent
into Iron Mountain for analysis are incomplete, and therefore would
compromise that user’s ability to benefit from having access to the
deposit materials.

Most times the technology placed into escrow
is software source code, but other technology can be escrowed as
well. At Iron Mountain, we’ve escrowed secret formulas, a jet engine
and even a cookie recipe!

Q. What are some of the possible ramifications
of an incomplete deposit?A. Should there be a release of incomplete deposit
materials the following realities can result:

Q. How can Iron Mountain’s verification services
reduce my company’s risk?A. Iron Mountain’s verification services provide your
company with insight into the composition of your
escrow deposits. We identify what is needed to use
the technology, including anything that is missing
from your deposit. Iron Mountain can also recreate
the technology for you.

The information we collect through our analysis
is developed into an easy-to-read report, which
you can use as a guide to reconstruct the
technology from the deposit materials, should you
ever need to do so. Performing the testing to
recreate the product independently, away from the
developer’s office or environment , is a crucial
process as it replicates the conditions the
beneficiary will likely experience if there is an
issue with developer support.

Q. What does my company need to do to use
source code released from escrow?A. Your company must accomplish the following to
use source code released from escrow:

Obtain the deposit media provided to Iron
Mountain

Read the media

Understand and recreate the developer’s
software development environment (which is
often very complex)

Have access to all third party tools

Compile the source code

Recreate executable code

Install the code onto appropriate
“production” systems

Iron Mountain can perform one or more of these
tasks for you when software source code is placed
into escrow depending on the level of verification
you select. This verification process will ensure that
you can recreate these tasks if the source code
needs to be released in the future.

Q. W hen should the escrow deposit be verified?A. Iron Mountain recommends verifying a deposit at
the outset when the escrow account is established.
In all cases, verification should be performed
before a release condition has occurred, in order
to most effectively limit your exposure to risk.

Q. How frequently should deposits be tested?A. This requires a cost-benefit analysis. If there is
material change to the technology or if the risk
profile of the developer changes detrimentally,
new deposits should be verified. However, for
mission-critical applications, Iron Mountain
recommends testing each deposit update at some
level. In less critical cases, technology users
typically require testing with each major version
release or bug fix. Iron Mountain’s verification
service levels are designed to allow for the
maximum flexibility in protection during the life
of the technology and escrow.

Q. What problems does Iron Mountain typically
find with escrow deposits?A. Recent data on deposit testing has revealed the
following:

Over 70% of all deposits sent in for analysis
were determined to be incomplete.

92% of examined deposits required additional
input from the developer in order to be
compiled.

38% of all verified deposits did not contain any
configuration or build instructions, which are
critical to putting escrowed materials into
deployment.

As a result, much of the software source code
that is deposited into escrow is not “ready to
use” upon release. Iron Mountain verification
services ensure that any problems are resolved
before storing and protecting the software
source code. Without verification there could be
considerable delays with creating a functional
deposit.

Q. How does the verification process work?A. Prior to performing verification tests,
Iron Mountain requests that the software
developer (depositor) complete an escrow
deposit questionnaire (Exhibit Q). This enables
Iron Mountain to understand the scope of the
work required so that a detailed Statement of
Work (SOW) and cost estimate for the testing can
be prepared. The SOW is fixed price based on our
experience and good faith estimates that the
developer’s representations are accurate on build
times and adequacy of the instructions.

Upon execution of the Statement of Work, receipt
of payment and receipt of appropriate deposit
materials, Iron Mountain begins testing the
deposit. During testing, Iron Mountain notifies the
parties of its progress. Once the testing is
complete, Iron Mountain provides detailed reports
of its findings to all parties. Iron Mountain will
also follow up with a technical resource to review
the test results with the user of the technology.

Parties interested in requesting a verification
of deposited materials should contact their
Iron Mountain sales representative.

Intellectual Property Management

Q. What are the types of technical verification
offered by Iron Mountain?A.

Level 1 - Inventory and Analysis TestProvides a complete audit and inventory of your
deposit, including analysis of deposited media to
verify the presence of build instructions and
identification of materials necessary to recreate
the original development environment.

Level 2 - Compile Test Validates whether the
development environment can be recreated from the
documentation and files supplied in the escrow
deposit.

Level 3 - Binary Comparison Test
Tests the
functionality of the compiled deposit materials by
comparing the files built in compile testing to the
licensed, executable file running at your site.

Level 4 - Full Usability Test Confirms that the
source code placed in escrow will be fully functional in
the event of a release. We run a series of tests to
ensure that replicated software runs properly, and
then create a detailed report of these tests, which
includes demonstrations of the functioning software in
action.

Iron Mountain’s Verification Service Levels

Level 1
Inventory &
Analysis TestCan the environment be recreated?
Verify that information required to recreate the depositor’s
development environment has been stored in escrow

Level 4
Full Usability
TestDoes the software work properly?
Verify and confirm that the built application
works properly when installed

Q. How do I know which verification level I
need?A. Iron Mountain’s dedicated staff of verification
experts will consult with you to determine which
verification level best suits your requirements. The
recommended type of testing largely depends on
the criticality of your licensed technology and the
business risks of your developer.

Software Development and
Licensing FAQ

Q. What is source code?A. Source code is the written version of a software
application that is readable by programmers. It is
like a secret recipe and is often deemed a trade
secret. That’s why software development
companies do their best to protect their source
code – it is their most valuable piece of intellectual
property. Licensed software cannot be repaired or
upgraded without the source code.

Q. What is object code?A. Object code is the translation of source code into
a language that only computers can read. It
consists of a series of ones and zeros. Object
code is generally created by taking proprietary
source code and running it through a software
program that transforms the source code into
object code. Object code is then “bound” into
executable code.

Q. Why is it necessary to know what “third-party
software” is required to support the deposited
code?A. Third-party applications are utilised in nearly every
software development environment and are needed
to recreate the depositor’s executable code. A
beneficiary that does not know what additional
third-party software is needed to run in conjunction
with the source code will have an extremely difficult
time learning this on its own. Iron Mountain’s
verification process helps to identify third-party
applications that are required to build executable
code.

Q. What is executable code?A. Near the end of the software development process,
object code is linked or bound together with other
object code (which may be created by third parties)
to create executable code. Typically, executable
code is licensed to beneficiaries and installed in a
live operating environment. Software developers
feel confident in licensing executable code because
it is extremely difficult to reverse the process and
discover the nature of the source code by
examining the object code.

Q. How do typical software licensing
arrangements creat risk for licensees?A. Most software licences involve the licensing of
executable code and not source code, which is
needed to modify the technology. Because of this,
the software user (licensee) is only able to
correct bugs in the software, upgrade the
product, and maintain the software through the
software developer (licensor) – the only one who
has access to the source code. This puts most
software licensees in an extremely vulnerable
position, especially if the software vendor goes
out of business, is bought by a competitor, files
for bankruptcy, or discontinues providing
maintenance support for any reason. The most
widely used solution to this problem is to
establish a technology escrow account that
contains a copy of the source code and maintenance
materials needed to compile and
support the program.

Q. What unique risks do Software As A Service
(SaaS) Application Providers create?A. Since SaaS applications are running in the cloud,
and not on-premises in the beneficiary’s
environment, the operating environment is often
unfamiliar. Therefore, for SaaS environments,
information about the Application Service
Providers (ASPs) operating environment should
be included in the escrow deposit. In addition,
your company’s user data also must be placed in
escrow (since this also lives in the cloud) or other
arrangements need to be made ensure access to
the data. If these additional steps are not taken,
the escrow deposit will not be useful to you upon
release. Iron Mountain offers specific SaaS
escrow services designed at mitigating risks of
doing business with SaaS companies by
addressing application continuity, service
sustainability and unfettered access to data.

Q. What is included in a standard Iron Mountain
“inspection” of deposit materials?A. Iron Mountain opens every sealed escrow deposit
and visually checks the deposit materials against
the documentation provided by the developer
(depositor). This ensures that the description of
materials matches the deposit (Exhibit B). For
example, if the Exhibit B states that the deposit
should include three CDs and that those CDs are
labeled “A,” “B” and “C,” then Iron Mountain will
count the number of CDs in the deposit and
check that they are labeled correctly. Once the
visual inspection is completed, notifications are
sent to the parties according to the contract
terms.
Of course, this is only a visual inspection, and we
recommend adding additional verification
services for optimal protection.

Q. Verification next stepsA. By establishing an escrow arrangement with Iron Mountain, you have recognised that your licensed missioncritical
technology is an important aspect of your organisation’s business operations. Complementing your
escrow arrangement with verification services will help to mitigate potential risks by providing complete
intellectual property protection and management, and ensuring a more rapid recovery for your organisation
should circumstances require it.
To find out more information or to request verification services for deposited escrow materials, contact your
local Iron Mountain sales representative or call us on 08445 60 70 80.

About Iron Mountain. Iron Mountain Incorporated (NYSE: IRM) provides information
management services that help organisations lower the costs, risks and inefficiencies of
managing their physical and digital data. Founded in 1951, Iron Mountain manages billions of
information assets, including backup and archival data, electronic records, document imaging,
business records, secure shredding, and more, for organisations around the world. Visit the
company Web site at www.ironmountain.com for more information.